safe_read and safe_write return size_t and define SAFE_READ_ERROR and
SAFE_WRITE_ERROR as error return values.  We had previously been
assigning their result to a signed value.  As a result, whether
passthrough, pipeline_pump, and get_block would detect read/write errors
was implementation-defined.

* lib/pipeline.c (passthrough, get_block): Assign safe_read return value
to a size_t rather than a signed integer type, and check for
SAFE_READ_ERROR rather than negative values.
(pipeline_pump): Assign safe_write return value to a size_t rather than
an ssize_t, and check for SAFE_WRITE_ERROR rather than negative values.
* NEWS: Document this.